QuotaGuard and Pantheon Integration Guide

QuotaGuard and Pantheon Integration Guide

QuotaGuard Static IPs allow your Pantheon WordPress and Drupal sites to send outbound traffic through a load-balanced pair of static IP addresses. Once set up, you can use QuotaGuard’s IPs to connect to firewalled payment gateways, databases, and APIs that require IP allowlisting.

You do not need QuotaGuard for internal Pantheon operations. Connections to Pantheon’s infrastructure, CDN, and internal services work without a proxy. QuotaGuard is for connecting to external services that require a known, static source IP address.

Why Pantheon Sites Need Static IPs

Pantheon uses an elastic cloud infrastructure where application containers migrate throughout the platform. Each container has a different hostname (not externally resolvable) and datacenter-assigned IP address. There is no way to predict what IP address your code will execute from.

From Pantheon’s documentation:

“Due to Pantheon’s cloud-based infrastructure, these outbound requests are sent via dynamic IP addresses. There is no way to predict what IP address your code will be executed from.”

This creates problems when your WordPress or Drupal site needs to connect to:

• Payment gateways like FirstData, Line Pay, or custom payment processors that require IP allowlisting
• LDAP / Active Directory authentication servers behind corporate firewalls
• CRM systems like Salesforce or HubSpot with IP-based access controls
• Banking and financial APIs with strict security requirements
• MongoDB Atlas and other databases with IP-based network access
• Partner APIs that only accept requests from known IP addresses

The result is connection failures and blocked requests that have nothing to do with your code. Your credentials are valid. Your module or plugin is configured correctly. The external service is simply blocking requests from Pantheon’s dynamic IP addresses.

QuotaGuard gives your Pantheon site a fixed, verifiable identity that partners can add to their firewall allowlists once.

Native Option: Secure Integration (Enterprise Only)

Pantheon offers Secure Integration (formerly Pantheon Enterprise Gateway) for static egress. Here’s how it compares to QuotaGuard:

Pantheon’s own blog acknowledges that Secure Integration “can be quite expensive” and may be “impractical” for connecting to external services. They even published a guide showing users how to set up their own proxy server on DigitalOcean as an alternative.

Use Secure Integration if you’re on an Enterprise plan and need to route all traffic through Pantheon’s managed infrastructure.

Use QuotaGuard if you’re on a Basic, Performance, or Elite plan without Secure Integration. Or if you want self-service setup without contacting support for each external service.

Getting Started

After creating a QuotaGuard account, you will be redirected to your dashboard where you can find your proxy credentials and static IP addresses.

Choose the right proxy region: Pantheon’s primary data center is hosted by Rackspace in Chicago, Illinois. For lowest latency, select QuotaGuard’s US-Central or US-East region.

Your proxy URL will look like this:

http://username:password@us-east-static-01.quotaguard.com:9293

Finding Your Static IPs: Your two static IPs are displayed in the QuotaGuard dashboard. Both IPs are active simultaneously for high availability. Add both to any firewall allowlists you’re configuring on the target service side.

WordPress Configuration

WordPress has built-in proxy support through constants defined in wp-config.php. This affects all HTTP requests made through WordPress’s HTTP API, including plugin/theme updates, REST API calls, WooCommerce payments, and any plugin using wp_remote_get() or wp_remote_post().

Step 1: Edit wp-config.php

Add the following constants to your wp-config.php file. Place them before the line that says /* That's all, stop editing! */.

/**
 * QuotaGuard Static IP Proxy Configuration
 * Routes outbound HTTP requests through static IPs for firewall allowlisting
 */
define('WP_PROXY_HOST', 'us-east-static-01.quotaguard.com');
define('WP_PROXY_PORT', '9293');
define('WP_PROXY_USERNAME', 'your-quotaguard-username');
define('WP_PROXY_PASSWORD', 'your-quotaguard-password');

// Bypass proxy for local and Pantheon internal traffic
define('WP_PROXY_BYPASS_HOSTS', 'localhost, 127.0.0.1, *.pantheonsite.io, *.pantheon.io');

Replace your-quotaguard-username and your-quotaguard-password with your credentials from the QuotaGuard dashboard.

Step 2: Deploy to Pantheon

Commit and push your changes:

git add wp-config.php
git commit -m "Add QuotaGuard proxy configuration"
git push origin master

Then deploy through your Pantheon workflow (Dev → Test → Live).

What Gets Proxied

With these constants set, all WordPress HTTP API requests automatically route through QuotaGuard:

• wp_remote_get() and wp_remote_post() calls
• Plugin and theme update checks
• REST API calls to external services
• WooCommerce payment gateway communications
• Any plugin using the WP_Http class

Environment-Specific Configuration

To use QuotaGuard only on your Live environment (saving quota during development):

/**
 * QuotaGuard Static IP Proxy Configuration
 * Only enabled on Live environment to preserve quota
 */
if (defined('PANTHEON_ENVIRONMENT') && PANTHEON_ENVIRONMENT === 'live') {
    define('WP_PROXY_HOST', 'us-east-static-01.quotaguard.com');
    define('WP_PROXY_PORT', '9293');
    define('WP_PROXY_USERNAME', 'your-quotaguard-username');
    define('WP_PROXY_PASSWORD', 'your-quotaguard-password');
    define('WP_PROXY_BYPASS_HOSTS', 'localhost, 127.0.0.1, *.pantheonsite.io, *.pantheon.io');
}

WooCommerce Payment Gateway Example

WooCommerce payment gateways automatically use the WordPress HTTP API. Once you configure the proxy constants, payment requests to gateways like Stripe, PayPal, or custom processors route through your static IPs.

No additional code changes are needed. The gateway plugin’s API calls will use your QuotaGuard static IPs automatically.

If you’re building a custom gateway or need to verify the proxy is active:

// Test that requests use your static IP
$response = wp_remote_get('https://ip.quotaguard.com');

if (!is_wp_error($response)) {
    $body = wp_remote_retrieve_body($response);
    $data = json_decode($body, true);
    error_log('Outbound IP: ' . $data['ip']);
}

Drupal 8/9/10 Configuration

Drupal 8 and later use the Guzzle HTTP client, which supports proxy configuration through settings.php.

Step 1: Edit settings.php

Add the following to your sites/default/settings.php file:

/**
 * QuotaGuard Static IP Proxy Configuration
 * Routes outbound HTTP requests through static IPs for firewall allowlisting
 */
$settings['http_client_config']['proxy']['http'] = 'http://your-username:your-password@us-east-static-01.quotaguard.com:9293';
$settings['http_client_config']['proxy']['https'] = 'http://your-username:your-password@us-east-static-01.quotaguard.com:9293';

// Bypass proxy for local and Pantheon internal traffic
$settings['http_client_config']['proxy']['no'] = [
    '127.0.0.1',
    'localhost',
    '.pantheonsite.io',
    '.pantheon.io',
];

Replace your-username and your-password with your credentials from the QuotaGuard dashboard.

Step 2: Deploy to Pantheon

Commit and push your changes:

git add sites/default/settings.php
git commit -m "Add QuotaGuard proxy configuration"
git push origin master

Then deploy through your Pantheon workflow.

Environment-Specific Configuration

To enable the proxy only on your Live environment:

/**
 * QuotaGuard Static IP Proxy Configuration
 * Only enabled on Live environment to preserve quota
 */
if (defined('PANTHEON_ENVIRONMENT') && PANTHEON_ENVIRONMENT === 'live') {
    $settings['http_client_config']['proxy']['http'] = 'http://your-username:your-password@us-east-static-01.quotaguard.com:9293';
    $settings['http_client_config']['proxy']['https'] = 'http://your-username:your-password@us-east-static-01.quotaguard.com:9293';
    $settings['http_client_config']['proxy']['no'] = [
        '127.0.0.1',
        'localhost',
        '.pantheonsite.io',
        '.pantheon.io',
    ];
}

Custom Module with Guzzle

If you’re building a custom Drupal module that makes HTTP requests:

use GuzzleHttp\Client;

/**
 * Makes a proxied HTTP request to an external API.
 */
function mymodule_call_external_api($endpoint) {
    $client = \Drupal::httpClient();
    
    try {
        $response = $client->get($endpoint);
        $data = json_decode($response->getBody(), TRUE);
        return $data;
    }
    catch (\Exception $e) {
        \Drupal::logger('mymodule')->error('API call failed: @message', [
            '@message' => $e->getMessage(),
        ]);
        return NULL;
    }
}

The \Drupal::httpClient() service automatically uses the proxy settings from settings.php. No additional configuration needed in your module code.

Drupal 7 Configuration

Drupal 7 uses a different configuration format for proxy settings.

Step 1: Edit settings.php

Add the following to your sites/default/settings.php file:

/**
 * QuotaGuard Static IP Proxy Configuration
 * Routes outbound HTTP requests through static IPs for firewall allowlisting
 */
$conf['proxy_server'] = 'us-east-static-01.quotaguard.com';
$conf['proxy_port'] = 9293;
$conf['proxy_username'] = 'your-quotaguard-username';
$conf['proxy_password'] = 'your-quotaguard-password';

// Bypass proxy for local traffic
$conf['proxy_exceptions'] = array('127.0.0.1', 'localhost');

Note: Do not include http:// in the proxy_server value. Drupal 7 adds this automatically.

Step 2: Deploy to Pantheon

Commit and push your changes, then deploy through your Pantheon workflow.

Environment-Specific Configuration

/**
 * QuotaGuard Static IP Proxy Configuration
 * Only enabled on Live environment
 */
if (defined('PANTHEON_ENVIRONMENT') && PANTHEON_ENVIRONMENT === 'live') {
    $conf['proxy_server'] = 'us-east-static-01.quotaguard.com';
    $conf['proxy_port'] = 9293;
    $conf['proxy_username'] = 'your-quotaguard-username';
    $conf['proxy_password'] = 'your-quotaguard-password';
    $conf['proxy_exceptions'] = array('127.0.0.1', 'localhost');
}

Direct PHP cURL Configuration

For custom PHP code that doesn’t use WordPress or Drupal’s HTTP clients, configure cURL directly:

<?php
/**
 * Makes a proxied HTTP request using cURL directly.
 */
function make_proxied_request($url) {
    $proxy_host = 'us-east-static-01.quotaguard.com';
    $proxy_port = 9293;
    $proxy_user = 'your-quotaguard-username';
    $proxy_pass = 'your-quotaguard-password';
    
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_PROXY, $proxy_host . ':' . $proxy_port);
    curl_setopt($ch, CURLOPT_PROXYUSERPWD, $proxy_user . ':' . $proxy_pass);
    
    // Recommended timeout settings
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    
    $response = curl_exec($ch);
    
    if (curl_errno($ch)) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new Exception('cURL error: ' . $error);
    }
    
    curl_close($ch);
    return $response;
}

// Example usage
try {
    $result = make_proxied_request('https://api.example.com/data');
    $data = json_decode($result, true);
} catch (Exception $e) {
    error_log('Request failed: ' . $e->getMessage());
}

POST Request with JSON Body

<?php
function make_proxied_post($url, $data) {
    $proxy_host = 'us-east-static-01.quotaguard.com';
    $proxy_port = 9293;
    $proxy_user = 'your-quotaguard-username';
    $proxy_pass = 'your-quotaguard-password';
    
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        'Accept: application/json'
    ));
    curl_setopt($ch, CURLOPT_PROXY, $proxy_host . ':' . $proxy_port);
    curl_setopt($ch, CURLOPT_PROXYUSERPWD, $proxy_user . ':' . $proxy_pass);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    
    $response = curl_exec($ch);
    
    if (curl_errno($ch)) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new Exception('cURL error: ' . $error);
    }
    
    curl_close($ch);
    return $response;
}

Database Connections (SOCKS5)

For non-HTTP protocols like direct database connections, use QuotaGuard’s SOCKS5 proxy on port 1080.

When to Use SOCKS5

Standard HTTP proxies only handle HTTP/HTTPS traffic. If your Pantheon site needs to connect to:

• External PostgreSQL databases
• External MySQL databases
• MongoDB clusters
• SFTP servers
• Raw TCP connections

You need SOCKS5 proxying.

PHP with SOCKS5

<?php
/**
 * Makes a proxied connection using SOCKS5.
 */
function make_socks5_request($url) {
    $socks_host = 'us-east-static-01.quotaguard.com';
    $socks_port = 1080;
    $socks_user = 'your-quotaguard-username';
    $socks_pass = 'your-quotaguard-password';
    
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
    curl_setopt($ch, CURLOPT_PROXY, $socks_host . ':' . $socks_port);
    curl_setopt($ch, CURLOPT_PROXYUSERPWD, $socks_user . ':' . $socks_pass);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    return $response;
}

Database Connections

For connecting to external databases that require IP allowlisting, you have two options:

Option 1: Use a database provider’s HTTP API (if available). MongoDB Atlas, Supabase, and others offer REST APIs that work with the standard HTTP proxy.

Option 2: Contact QuotaGuard support for QGTunnel configuration. QGTunnel creates local port mappings that route database traffic through SOCKS5. This requires additional setup specific to your environment.

Common Use Cases

Payment Gateway Integration

Many payment processors require IP allowlisting for API access:

WordPress (WooCommerce):

Once the proxy constants are set in wp-config.php, all WooCommerce payment gateway API calls automatically route through your static IPs. No code changes needed.

Drupal (Commerce):

Once the proxy settings are in settings.php, Drupal Commerce payment gateway modules use the proxy automatically via Guzzle.

LDAP / Active Directory Authentication

For sites using LDAP authentication against corporate directories:

1. Configure the proxy in wp-config.php or settings.php
2. Add your QuotaGuard static IPs to your LDAP server’s firewall allowlist
3. The LDAP module’s outbound connections will route through your static IPs

Note for Drupal 7: The LDAP module may require a patch to fully support proxy settings. Check the module’s issue queue for proxy-related patches.

External API Integrations

For custom integrations with external APIs (CRMs, ERPs, third-party services):

// WordPress example using wp_remote_get with proxy
$response = wp_remote_get('https://api.partner.com/v1/data', array(
    'headers' => array(
        'Authorization' => 'Bearer ' . $api_key,
        'Content-Type' => 'application/json',
    ),
    'timeout' => 30,
));

if (!is_wp_error($response)) {
    $body = wp_remote_retrieve_body($response);
    $data = json_decode($body, true);
}

The proxy is applied automatically based on your wp-config.php settings.

Testing Your Implementation

Verify your static IP configuration by requesting ip.quotaguard.com.

WordPress Test

Add this to a custom plugin or theme’s functions.php temporarily:

add_action('admin_init', function() {
    if (isset($_GET['test_quotaguard'])) {
        $response = wp_remote_get('https://ip.quotaguard.com');
        
        if (is_wp_error($response)) {
            wp_die('Error: ' . $response->get_error_message());
        }
        
        $body = wp_remote_retrieve_body($response);
        wp_die('Your static IP: ' . $body);
    }
});

Then visit: https://your-site.com/wp-admin/?test_quotaguard=1

Drupal Test

Create a simple controller or use Drush:

// In a custom module
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\JsonResponse;

class QuotaGuardTestController extends ControllerBase {
    public function test() {
        $client = \Drupal::httpClient();
        
        try {
            $response = $client->get('https://ip.quotaguard.com');
            $data = json_decode($response->getBody(), TRUE);
            
            return new JsonResponse([
                'status' => 'success',
                'static_ip' => $data['ip'],
            ]);
        }
        catch (\Exception $e) {
            return new JsonResponse([
                'status' => 'error',
                'message' => $e->getMessage(),
            ], 500);
        }
    }
}

Expected Response

{"ip":"52.34.188.175"}

The returned IP should match one of your two static IPs shown in the QuotaGuard dashboard. Run the test multiple times to see both IPs in action (load-balanced).

Latency Considerations

Using QuotaGuard adds a network hop to your requests:

For most payment gateway and API integrations, this latency is negligible. The connection setup time is typically dominated by SSL handshake and API processing, not the proxy hop.

Recommendations:

1. Match regions: Use US-Central or US-East for Pantheon’s Chicago data center
2. Set reasonable timeouts: Increase CURLOPT_TIMEOUT slightly to account for the proxy hop
3. Use bypass hosts: Always bypass localhost and *.pantheonsite.io to keep internal traffic fast

Troubleshooting

407 Proxy Authentication Required

Your credentials are incorrect. Verify:

1. Username and password match your QuotaGuard dashboard
2. No extra spaces or special characters were copied incorrectly
3. For Drupal 7, the proxy_server value does not include http://

Connection Timeout

1. Verify the QuotaGuard proxy hostname is correct
2. Check that port 9293 is used for HTTP proxy connections
3. Increase your timeout settings (CURLOPT_TIMEOUT)
4. Verify Pantheon can reach external networks (check Pantheon status)

Wrong IP Address Returned

The proxy may not be configured correctly:

1. Verify the constants/settings are in the correct file and location
2. Check that the configuration is not overridden elsewhere
3. For WordPress, ensure constants are defined before the ABSPATH line
4. Clear any caching (page cache, object cache) and test again

Proxy Not Applied to Specific Plugin/Module

Some plugins or modules use their own HTTP clients instead of the CMS’s built-in client:

1. Check the plugin’s documentation for proxy settings
2. For WordPress, look for filters like http_request_args to inject proxy settings
3. For Drupal, verify the module uses \Drupal::httpClient() and not a custom Guzzle instance

Drupal 7 LDAP Issues

The Drupal 7 LDAP module may not respect global proxy settings by default. Check the module’s issue queue for proxy-related patches, or configure the proxy directly in the LDAP module’s settings if available.

Pantheon Environment Detection

Pantheon provides environment constants you can use to conditionally enable the proxy:

// Available constants
PANTHEON_ENVIRONMENT  // 'dev', 'test', 'live', or multidev name
PANTHEON_SITE         // Site UUID
PANTHEON_SITE_NAME    // Site machine name

// Example: Only proxy on live
if (defined('PANTHEON_ENVIRONMENT') && PANTHEON_ENVIRONMENT === 'live') {
    // Enable proxy
}

// Example: Proxy on live and test
if (defined('PANTHEON_ENVIRONMENT') && in_array(PANTHEON_ENVIRONMENT, ['live', 'test'])) {
    // Enable proxy
}

This helps you preserve quota during development while ensuring production traffic uses static IPs.

QuotaGuard Static vs QuotaGuard Shield

QuotaGuard offers two products for static IPs:

For most Pantheon sites, QuotaGuard Static provides everything you need. Choose Shield if you’re handling protected health information (PHI), payment card data, or have specific compliance requirements where end-to-end encryption through the proxy is mandatory.

Ready to Get Started?

Get in touch or create a free trial account.

Try QuotaGuard Now

View Pantheon Integration Features

Contact Support